LWN.net Logo

LWN.net Weekly Edition for September 6, 2007

OOXML loses a battle

By Jake Edge
September 5, 2007

The latest round in the battle for office document formats has gone against Microsoft's Office Open XML (OOXML) submission. It certainly won't be the last we hear about it, as there is another vote in February, but it does, at least, slow down the fast-track proposal for making the format an international standard. The process has been anything but regular, with allegations of ballot box stuffing in Sweden and last minute voting class changes by eleven countries. These kinds of shenanigans do very little to enhance the reputation of the International Organization for Standardization (ISO) nor do they promote confidence in their standards.

The vote, which closed 2 September, was made by members of the Joint Technical Committee, Information Technology (JTC1). Each country which is a member of ISO and wishes to join, can be either a Participating ("P") or Observing ("O") member of the committee. In order to pass, the proposal must get two-thirds support of the P members and no more than one-quarter "no" votes amongst both P and O members. In both cases, abstentions are removed before calculating the ratios.

The results, announced on 4 September, were 53% "yes" votes by P members and 74% "yes" votes by P and O members, which fails both tests, though either failing is all that is required to defeat the measure. Many of the votes, on both sides, were made "with comments". The comments specify portions of the OOXML spec that need clarification or change before it can be ratified.

Those comments will be passed on to the Ecma International, sponsor of the OOXML standardization proposal, to propose resolutions to the comments. Ecma is also the organization that rubber-stamped OOXML as a standard last year. They have until mid-January 2008 to submit the proposed changes and the committee members have until the Ballot Resolution Meeting (BRM) in late February to review and discuss them. Microsoft's Brian Jones estimated there would be in the neighborhood of 10,000 comments, many probably duplicates. How a committee is supposed to analyze and handle that many resolutions, in a week-long meeting, is unclear.

If enough of the "no" votes are satisfied that their comments have been addressed at the meeting, they can change their votes to yes. If that vote takes place, it will be the P members in February who get to vote. It is quite possible that, similar to the run-up to this vote, O members will suddenly decide to switch to P members. At this point, OOXML proponents know roughly how many votes they need.

Andy Updegrove has been following the approval process closely in his Standards Blog and reported on eleven countries upgrading from O to P status in the two weeks before the voting closed. Whether Microsoft is behind this sudden interest by these countries can only be speculated upon, but nine of them voted yes, one no, and one abstained. Regardless of why they felt the need to jump into the voting at the last minute, it certainly seems fishy.

If the vote fails at the BRM, we still may not have seen the last of OOXML as a proposed international standard. All of this effort has been to "fast-track" the proposal. Ecma and Microsoft can still submit it for approval under the regular, lengthier, standardization process. That could easily take several years, which is why there is a big push to fast-track it.

OOXML is a complicated, 6000+ page specification, requiring a great deal of study and consideration before a sensible decision on it can be made. By upgrading at the last minute, it certainly appears that some of that review may have been skipped. If a country was interested in the process and wanted to have more input, it seems that they might have found time to do it in the nine months of review. If it is going to be an international standard, it should, at least, be a well scrutinized standard.

Predictably, Microsoft is proclaiming the voting result as a victory, of sorts, just a step along the way to ISO acceptance. In the Microsoft view, the no voters will reverse course "once their comments are resolved." Their confidence is palpable and, to opponents, galling. There is some indication that the pressure applied to national bodies resulted in a backlash, with at least one switching to a no vote because of it. It will certainly be interesting to see how some of the comments will be "resolved."

Microsoft has admitted that an employee offered "marketing assistance" to offset the $2500 entrance fee for Swedish companies to join their national voting committee. More than twenty showed up, just before the vote, to vote yes. Eventually, the vote was thrown out, not because of the blatant ballot-box stuffing, but because somehow one company voted twice. Sweden ended up abstaining, which was a win for OOXML, as it clearly would have been a no vote otherwise.

Microsoft has made various noises about the "inadequacies" of the Open Document Format (ODF) standard – ISO passed it with so few comments that a BRM was not required – and there is some truth buried deeply in the rhetoric. The proper response is not to propose another standard, but to improve the one that exists. ODF is implemented by multiple projects, with open source reference implementations. It is very unlikely that anyone, other than Microsoft, will be able to fully implement OOXML.

It's also not clear that anyone should want to implement OOXML as international standard. Besides being complex, the proposed standard contradicts other ISO standards. It also has the kind of bug-for-bug compatibility that is one of Microsoft's calling cards. An international standard should not have to implement a sloppy collection of bugs and compatibility hacks. It should be noted that OOXML contains some very important features – some not available in ODF – but that does not make it a good standard. It should not be adopted just to appease the world's largest software maker.

Microsoft is behaving like a company that is terrified of losing their near-monopoly in the office software market. If they, instead, embraced the standard – leaving behind extend and extinguish – and competed on the feature set of their office suite, their much touted "innovation" could shine. Unfortunately, for anyone with a historical perspective on Microsoft's tactics, this OOXML standardization move looks like the first act of some kind of customer lock-in scheme.

There will be close scrutiny on the participants between now and the vote in February. Hopefully, we will see no more gaming of the standards process, by anyone; the committee will judge the resolutions on their technical merit, coming to a sensible decision. From what we have seen so far, that seems unlikely, but one can hope.

Comments (11 posted)

Relicensing: what's legal and what's right

By Jonathan Corbet
September 4, 2007

The ath5k driver has been through more than the usual amount of legal trouble. This driver, for Atheros wireless chipsets, was originally reverse engineered and developed in the BSD community. It was reputed by some to have been improperly copied from proprietary Atheros code, requiring two different studies by the Software Freedom Legal Center before Linux developers were willing to believe that it was safe to use. This driver should be the cause of great joy - it will make it possible for vast numbers of laptop owners to run Linux with free drivers for the first time. But, first, there would appear to be one more set of legal hassles to overcome.

The latest trouble started when wireless developer Jiri Slaby posted a patch which stripped the ISC and BSD license notices from the source, replacing them with GPLv2 license text. It should be noted that this patch was not accepted into any repository anywhere and never became part of any exported Linux kernel tree. Nonetheless the BSD community exploded in a very public way. It is interesting to compare their public response to this posting with the sort of response they very loudly insisted was their due when they were found to have carried improperly relicensed GPL code in their repository for some time. That notwithstanding, it is worth taking the time to look at what has happened here.

The situation this time around is an interesting one. Much of the affected code was written by Reyk Floeter for OpenBSD and explicitly placed by him under a BSD-style license. The patch posted by Jiri Slaby stripped his license text; it was thus a clear violation of Reyk's license (which requires that the license text be preserved) and the wrong thing to do. This patch was never applied, and it will not be. There is no interest in the kernel community in violating anybody's license.

Much of the code, however, had been written earlier by Sam Leffler. He had used the BSD license, but had also included this text:

Alternatively, this software may be distributed under the terms of the GNU General Public License ("GPL") version 2 as published by the Free Software Foundation.

So, when this code was relicensed under GPLv2, that act was clearly carried out with the permission of the copyright holder. Mr. Leffler has since confirmed that this act was, by his intent, explicitly allowed. Nobody can complain about the legality of this particular change.

This did not stop OpenBSD leader Theo de Raadt from condemning the relicensing and calling it illegal:

It may seem that the licenses let one _distribute_ it under either license, but this interpretation of the license is false -- it is still illegal to break up, cut up, or modify someone else's legal document, and, it cannot be replaced by another license because it may not be removed. Hence, a dual licensed file always remains dual licensed, every time it is distributed.

How to square this statement with the clear notice saying that the code may be distributed under either license is left as an exercise for the reader. By this interpretation the BSD license becomes rather more viral than the GPL; it cannot be removed even when the copyright notice says otherwise. The BSD people are fine with their code being locked up and made completely proprietary, but it would seem that a GPLv2 relicensing, even when explicitly allowed by the copyright owner, is a different matter entirely.

The situation has since been resolved with this patch, which was prepared with the help of the Software Freedom Law Center. It is, perhaps, the only kernel patch ever to have been signed off by Bradley Kuhn. All of the required copyright attributions are now in place, and BSD-licensed code retains that license. Some of the additions made by Linux developers, however, remain under GPLv2, making the ath5k module, as a whole, a GPLv2-only product.

This solution should keep the lawyers happy, but certain members of the BSD community remain unimpressed. Quoting Theo de Raadt again:

When companies have taken our wireless device drivers, many many of them have given changes and fixes back. Some maybe didn't, but that is OK.

When Linux took our changes back, they immediately locked the door against changes moving back, by putting a GPL license on guard.

Why does our brother Linux take a file that is 90% BSD licensed, and refuse to let us see the 10% he adds?

It is a rare day in which Theo declares brotherhood with the Linux community. It may be tempting to dismiss this statement entirely, but, still, there is a point here. This code was obtained from developers who placed it under the BSD license; it was not written in the Linux community. There is something to be said for keeping it under a permissive license so that ongoing development can be shared between the Linux and BSD communities. Maintaining the license would be a neighborly (or even brotherly) thing to do, but it could also have immediate benefits in the form of shared maintenance and good will going forward.

In the end, distributing versions of the ath5k driver under GPLv2 (with the requisite copyright attributions maintained) is something which the Linux community is entitled to do. Anybody who does not like more restrictive conditions being applied to BSD-licensed code is well advised to avoid using the BSD license to begin with. But the legal ability to do something does not make that something the right course of action. Only the developers who have worked on the ath5k driver have the right to decide which license they will use, but it's worth saying that allowing the BSD community to make use of work done on the ath5k driver would be a friendly gesture and an acknowledgment of the value of the code we got from them. The benefits from such an act would likely outweigh any cost associated with allowing unwanted proprietary use of the code which has been added to this driver.

Comments (75 posted)

LCE: Linux, hardware vendors, and enterprise distributors

By Jonathan Corbet
September 5, 2007

Enterprise distributions are an important part of the economic success story of Linux. The creation of highly stable, highly supported distributions has brought significant revenue streams to some distributors and enabled the deployment of Linux into many "mission critical" situations. Enterprise distributions encourage the commercial world to take Linux seriously. At LinuxConf Europe, however, your editor has stumbled into a few conversations which characterized enterprise distributions as one of the bigger problems the development community has now. Then a talk by Dirk Hohndel made that point again in a different context.

[Dirk Hohndel] Dirk's talk was on how to get hardware vendors to support Linux. He knows what he is talking about: as the Linux CTO at Intel, Dirk is charged with, among other things, implementing Intel's commitment to provide free drivers for all of its hardware. His core point is that hardware vendors understand money better than anything else; getting them to support Linux will require showing them that it is in their economic interest to do so. To that end, he praised how Dell has taken care to put together hardware which is entirely supportable with free drivers to ship with Ubuntu pre-loaded. That sort of decision will quickly get the attention of the relevant vendors.

There were some suggestions on what to tell hardware vendors who are thinking about adding open source support for their products. Development in the open is crucial; drivers should be released early and made available for the community to work with. Intel did this with some of its early network drivers; the resulting level of interest and community participation exceeded all expectations. Vendors need to understand that they cannot design software just for their device, that they need to think bigger. This is a hard message for vendors to hear, but, in the long run, they benefit from a better kernel which will be better suited to their needs in the future.

It is important that software support be available immediately when the hardware is made available. If there is no driver for several months after the hardware release, competitors will have had time to get their answering products to market before Linux users can use the original product. That sort of time lag is forever in the hardware world. Vendors also need to continue to maintain their code after it gets into the mainline; there is nobody else who can ensure that it continues to work on all versions of the hardware.

One thing that the community could do to help would be to improve the tone of the discussion on our mailing lists. That tone is often quite hostile; it does not create a friendly environment for engineers working for hardware vendors who want to engage with the community.

There is another place where life gets difficult for hardware vendors, though; this is where the enterprise distributors come in. When Intel releases a driver for a new product, that driver goes into the mainline kernel. But the release cycle implemented by the enterprise distributors will not pick up that driver for as much as two years after it gets into the mainline. So enterprise customers are not able to make use of that hardware for a long time after its release, even though the driver is available.

Intel has competitors which will never release free drivers for their hardware. But they do put out closed-source modules for the enterprise distributions. So their customers are able to use that hardware from the outset.

In other words, Intel is being punished for playing by the rules and releasing their drivers to the community. This is exactly the wrong sort of incentive to create for hardware vendors. If they conclude that they will do better by just shipping binary-only modules, that is the course they will take.

Dirk's complaint echoes other conversations your editor has heard in the last few days. The development community has been very insistent in its message that code should be merged upstream, and that this merge should happen early. In the kernel area, the development cycle has been shortened to the point that changes find their way into a stable release after a maximum of a few months. But the enterprise distributions, by freezing kernels for years at a time, are pushing us back to the old, multi-year development cycle and sending a very different message to vendors.

The discussion of enterprise distributor policies is not new; see this article from last June for a previous installment. But this discussion appears to be reaching a new level of urgency, with some developers calling enterprise distributions one of the biggest problems the community is facing today. There is a fundamental conflict between the fast-moving development community and the sort of stasis that the enterprise distributions try to create. This conflict becomes especially acute when customers want the best of both worlds: no changes combined with fast-moving development and support for current hardware.

There are no easy solutions in sight. The enterprise distributions may be forcing a model from the proprietary software world on Linux, but there are reasons for the creation of that model in the first place. The kernel development community has gotten quite good at integrating vast numbers of changes while still producing a stable result, but any software which has recently seen significant changes will occasionally produce unwelcome surprises when dropped into a production environment. Slowing the rate of development is not an option, and it should be noted that the enterprise distributors are at the top of the list of companies which are setting the pace. Getting around this problem is going to be a challenge - but this community is good at facing challenges.

Comments (33 posted)

LWN advertising update

The reader survey back in February provided lots of interesting feedback, from the responses as well as the comments. We have been slowly implementing some of the suggestions and we are not finished yet. Some of the comments indicated that more advertising would be tolerated, perhaps even encouraged. With that in mind, we have been exploring more options in that area.

We are very aware of the fine line that must be walked here. The last thing we (or our advertisers) want to do is to annoy our loyal readers, so we are proceeding cautiously. The latest advertising technique we are trying is "in-text advertising". The idea is to serve ads that are relevant to keywords in an article by highlighting those words and popping up an ad when a reader rolls over the word with their mouse.

We have also added the ability of subscribers – at any level – to choose whether they see them or not. Our "project leader" subscribers have long had the ability to turn off all advertising via the customization options behind the "My Account" link. For in-text advertising, we defaulted the option to "off"; subscribers can alter that if they wish and "project leaders" can control those ads independently of other advertising. As with Google ads, those running with Javascript disabled will not see the ads.

These new ads were just added late last week, and we are still fine tuning, but we hope it is a relatively painless way to bring in some needed revenue without filling every square inch of the site with ads. We will be looking at other advertising options in the near term as well, with an eye towards maintaining a reasonable balance. As always, we are very interested in the thoughts of our readers, either via a comment below or email to lwn-AT-lwn.net.

While we are on the subject, please keep the LWN text ads in mind for a very cost effective means of reaching LWN readers. If you, or someone you know, is trying to get the word out about a product, service, job, or project, the text ad box has a prominent place on roughly half of our pageviews. We are always open to hearing other advertising options, feel free to contact us at sales-AT-lwn.net to discuss.

Comments (136 posted)

Page editor: Jake Edge

Security

Software liability laws: a dangerous solution

September 5, 2007

This article was contributed by Chase Venters

The readers of LWN do not need to be reminded that the software industry as a whole has a big problem with computer security. One proposal aims to redress this state of affairs: the concept of legislation designed to create financial liability for the vendors of buggy software. This idea is applauded by many such as Bruce Schneier, author of the famous book Applied Cryptography. But despite the support of notable authors, software liability laws are themselves a dangerous liability to the software industry.

One can readily find sympathy in the potential impact of software liability laws on developers of free and open-source software. Many of these developers are working on a volunteer basis, and holding them financially liable for the code they write and release freely could have a chilling effect on the development of free software. Of course, liability laws might be written to exclude programs given away for free, or they might concern themselves with vendors and leave individual developers out of the picture.

Unfortunately, the dangers of software liability laws don't subside when individual developers are granted immunity. One of our community's most prominent projects, the Linux kernel, was never intended to grow off the 386 but is now found running everything from stock markets to supercomputers and military gear. This ubiquity brings demand for services, support, and a single throat to choke, which is the bread and butter of Red Hat and other businesses. When a vendor is selling free software, and we make the vendor financially liable for bugs in the code it is selling but did not write, we risk significant disruption to our cherished development models.

Further complications arise when we imagine possible liability lawsuits. In the event of a security breach, directing blame and assigning liability can be problematic. Picture a system that runs Oracle on top of Red Hat Enterprise Linux, and imagine that the Oracle database is breached due to a bug in glibc. Does the buck stop with Oracle, Red Hat, or both? What if Novell provided the operating system, but the glibc developer who introduced the bug responsible for the breach is paid by Red Hat? An attorney might decide to sue all three parties, especially if it is unclear which component was vulnerable.

Consider also that virtually all software developers attach disclaimers of warranty to their products. These disclaimers are nearly ubiquitous in free software licenses, and are even found attached to some public domain declarations. For software liability laws to have teeth, these disclaimers must be nullified. But when dealing with software designed to address a broad range of users, one must carefully select use cases in which default warranties apply. There is a big difference between a database full of blog postings, a database full of credit card numbers and a database full of top secret government intelligence.

We must also recognize the differences in the types of failures under which warranty is considered appropriate. Ford Police Interceptors had a reputation for exploding when they were rear-ended. Ford also suffered a blow to its reputation, along with tire manufacturer Firestone, when tires on Ford Explorer vehicles were found to spontaneously fail. In both of these cases, the loss of human life was not the result of a willful human actor but was caused instead by spontaneous failure under expected operating conditions. By sharp contrast, software security breaches generally don't endanger life or limb, and successful exploits are not accidents but are rather the result of willful attack.

The difference between accidental and intentional failure is an important one. Because the laws of physics and the nature of accidents do not change, we can expect auto manufacturers to build reliable gas tanks and tires. But in computer security, attackers discover new techniques each and every year. The equation for software is always on the move.

At this point, advocates of software liability laws still hoping to sell their wares need to choose their words carefully, and so they plead for a standard based on best practice. But who defines best practice in an industry that is changing so fast? The pioneers of the Internet didn't predict many of the problems we're facing today, yet few would call them negligent. Real "best practice" is a moving target that is carried by the tides of the times, and in the world of technology, the waves are a mile tall and move thousands of miles per hour.

These and other questions must be addressed if software liability laws are to succeed. Unfortunately, legislators are notoriously bad at understanding and regulating technology. Observers of SCO v. IBM surely agree that court cases are long, complicated and costly. Those with faith in any branch of government to appropriately legislate technology should reexamine the Digital Millennium Copyright Act, a law that continues to have a chilling effect on free software development, and Universal v. Reimerdes, the case in which 2600 Magazine's publication of DeCSS was suppressed.

Security is, of course, a problem, and the case can be made that someone must be held liable. We prosecute the criminals who breach computer security, but if we're going to put burden on anyone else, we should choose the companies that leak personal information to these criminals when their security fails. In some ways, these companies might be held liable today, but we would do well to consider tightening down the screws. By increasing the burden on these data aggregators, the demand for secure software will increase. This gives the best solutions that engineers produce a market advantage, and financially rewards security-conscious vendors. This approach to liability also addresses the need for best practices and defense in depth when implementing and maintaining networks and databases. By concentrating liability in this way, we eliminate the complications that result from playing the blame game with a group of software vendors. Whose security was breached is a much easier question to litigate than how it was done and how it might have been stopped.

As Schneier has pointed out, companies tend to convert variable cost liabilities into fixed cost insurance plans. Insurers have a financial incentive to excel at evaluating risk, and it isn't inconceivable that they might view the use of open code their experts can review a reason to offer lower premiums. Furthermore, putting liability on data aggregators allows those organizations to make choices on how much insurance they are willing to buy. A technologically sound small business might adopt best practices and spend less on insurance, or they might decide to skip out on insurance entirely. But if insurance were expensive and the danger of a security breach was still unacceptable, they might reconsider the practice of permanently storing large amounts of customer data, something that their customers tend to consider an invasion of their privacy anyway.

Software code is quite complex, but we can write all kinds of new and useful software because it is intangible and cheap to produce. Placing liability on software vendors threatens to dramatically change this landscape. We can expect to see reduced participation, hampered innovation, and skyrocketing costs. We should carefully consider whether perfect security is a goal or an expectation, and educate users on the need for compartmentalization, defense in depth, patching, and best practices in their networks. If we approach the issue in this way, we can improve security overall with minimal risk to the efficiency of the software industry.

Comments (32 posted)

New vulnerabilities

aide: checksum errors

Package(s):aide CVE #(s):CVE-2007-3849
Created:September 4, 2007 Updated:September 5, 2007
Description: Advanced Intrusion Detection Environment (AIDE) is a file integrity checker and intrusion detection program. A flaw was discovered in the way file checksums were stored in the AIDE database. A packaging flaw in the Red Hat AIDE rpm resulted in the file database not containing any file checksum information. This could prevent AIDE from detecting certain file modifications.
Alerts:
Red Hat RHSA-2007:0539-01 2007-09-04

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-0170 2008-01-22
Gentoo 200709-14 2007-09-20
Fedora FEDORA-2007-2050 2007-09-07
Mandriva MDKSA-2007:172 2007-08-31
Debian DSA-1366-1 2007-09-01

Comments (none posted)

fetchmail: denial of service

Package(s):fetchmail CVE #(s):CVE-2007-4565
Created:September 5, 2007 Updated:September 26, 2007
Description: fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
Alerts:
Ubuntu USN-520-1 2007-09-26
Debian DSA-1377-2 2007-09-21
Debian DSA-1377 2007-09-21
Mandriva MDKSA-2007:179 2007-09-11
Foresight FLEA-2007-0053-1 2007-09-06
rPath rPSA-2007-0178-1 2007-09-05
Fedora FEDORA-2007-1983 2007-09-04
Fedora FEDORA-2007-689 2007-09-04

Comments (none posted)

gallery2: multiple unspecified vulnerabilities

Package(s):gallery2 CVE #(s):CVE-2007-4650
Created:September 5, 2007 Updated:November 9, 2007
Description: Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in (a) WebDAV and (b) Reupload modules.
Alerts:
Debian DSA-1404-1 2007-11-08
Gentoo 200711-03 2007-11-01
Fedora FEDORA-2007-2020 2007-09-04

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-0558 CVE-2007-1217
Created:September 4, 2007 Updated:November 14, 2007
Description: A flaw in the ISDN CAPI subsystem could allow a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine.

A flaw in the perfmon subsystem on ia64 platforms could allow a local user to cause a denial of service.

Alerts:
Red Hat RHSA-2007:0671-01 2007-08-16
Red Hat RHSA-2007:0673-01 2007-08-08
Red Hat RHSA-2007:0672-01 2007-08-08
Red Hat RHSA-2007:0705-01 2007-09-13
Red Hat RHSA-2007:0774-01 2007-09-04

Comments (none posted)

krb5: buffer overflow, uninitialized pointer

Package(s):krb5 CVE #(s):CVE-2007-3999 CVE-2007-4000
Created:September 4, 2007 Updated:March 24, 2008
Description: Tenable Network Security discovered a stack buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash.

Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash.

Alerts:
Fedora FEDORA-2008-1017 2008-03-06
SuSE SUSE-SR:2007:024 2007-11-22
Debian DSA-1387 2007-10-15
Gentoo 200710-01 2007-10-04
Red Hat RHSA-2007:0951-01 2007-10-02
Red Hat RHSA-2007:0913-01 2007-09-19
Trustix TSLSA-2007-0026 2007-09-17
Mandriva MDKSA-2007:181 2007-09-12
Gentoo 200709-01 2007-09-11
Ubuntu USN-511-2 2007-09-07
Mandriva MDKSA-2007:174-1 2007-09-07
Fedora FEDORA-2007-694 2007-09-07
Fedora FEDORA-2007-2066 2007-09-07
Debian DSA-1367-2 2007-09-06
Foresight FLEA-2007-0050-1 2007-09-06
Mandriva MDKSA-2007:174 2007-09-06
Red Hat RHSA-2007:0892-01 2007-09-07
rPath rPSA-2007-0179-1 2007-09-06
Ubuntu USN-511-1 2007-09-04
Fedora FEDORA-2007-2017 2007-09-04
Fedora FEDORA-2007-690 2007-09-04
Debian DSA-1368-1 2007-09-04
Debian DSA-1367-1 2007-09-04
Red Hat RHSA-2007:0858-01 2007-09-04

Comments (none posted)

mapserver: multiple cross-site scripting vulnerabilities

Package(s):mapserver CVE #(s):CVE-2007-4542 CVE-2007-4629
Created:September 5, 2007 Updated:April 7, 2008
Description:

CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.

CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.

Alerts:
Debian DSA-1539-1 2008-04-04
Fedora FEDORA-2007-2018 2007-09-04

Comments (none posted)

postfix-policyd: arbitrary code execution

Package(s):postfix-policyd CVE #(s):CVE-2007-3791
Created:August 30, 2007 Updated:September 5, 2007
Description: The postfix-policyd anti-spam plugin for the postfix mta does not correctly test the bounds of incoming SMTP commands. This can be exploited for the remote execution of arbitrary code.
Alerts:
Debian DSA-1361 2007-08-29

Comments (none posted)

tcp-wrappers: unauthorized access

Package(s):tcp-wrappers CVE #(s):CVE-2007-5137
Created:August 30, 2007 Updated:October 13, 2007
Description: The TCP wrapper library can improperly allow connections to services that do not have server-side connection details specified. Remote attackers can connect to blocked services.
Alerts:
Ubuntu USN-507-1 2007-08-30

Comments (none posted)

vavoom: multiple vulnerabilities

Package(s):vavoom CVE #(s):CVE-2007-4533 CVE-2007-4534 CVE-2007-4535
Created:September 5, 2007 Updated:September 5, 2007
Description: Security update fixing various format strings vulnerabilities and a DOS vulnerability in the vavoom server, this fixes: CVE-2007-4533, CVE-2007-4534 & CVE-2007-4535. Also see bugzilla bug 256621.
Alerts:
Fedora FEDORA-2007-1977 2007-09-04

Comments (none posted)

Updated vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

avahi: denial of service

Package(s):avahi CVE #(s):CVE-2007-3372
Created:June 28, 2007 Updated:September 18, 2007
Description: Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function.
Alerts:
Mandriva MDKSA-2007:185 2007-09-17
Foresight FLEA-2007-0030-1 2007-06-28

Comments (none posted)

bochs: buffer overflow

Package(s):bochs CVE #(s):CVE-2007-2893
Created:July 20, 2007 Updated:November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Alerts:
Gentoo 200711-21 2007-11-17
Fedora FEDORA-2007-1778 2007-08-23
Debian DSA-1351-1 2007-08-07
Fedora FEDORA-2007-1153 2007-07-19

Comments (none posted)

bugzilla: several vulnerabilities

Package(s):bugzilla CVE #(s):
Created:August 28, 2007 Updated:August 29, 2007
Description: This Bugzilla security advisory covers several vulnerabilities in Bugzilla 2.20.4, 2.22.2, and 3.0.
Alerts:
Fedora FEDORA-2007-1853 2007-08-27

Comments (1 posted)

centericq: buffer overflows

Package(s):centericq CVE #(s):CVE-2007-3713
Created:July 20, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Debian DSA-1433-1 2007-12-16
Debian-Testing DTSA-55-1 2007-09-03
Fedora FEDORA-2007-1160 2007-07-19

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200708-04 2007-08-09
Mandriva MDKSA-2007:150 2007-07-25
Debian DSA-1340-1 2007-07-24

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

gpdf: integer overflow

Package(s):cups poppler xpdf CVE #(s):CVE-2007-3387
Created:July 31, 2007 Updated:November 28, 2007
Description: The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more.
Alerts:
Fedora FEDORA-2007-3390 2007-11-20
Fedora FEDORA-2007-3308 2007-11-20
Gentoo 200710-20 2007-10-18
Gentoo 200710-08 2007-10-09
Gentoo 200709-12 2007-09-19
Fedora FEDORA-2007-685 2007-08-30
Debian-Testing DTSA-54-1 2007-08-22
Fedora FEDORA-2007-669 2007-08-13
Fedora FEDORA-2007-644 2007-08-13
Debian DSA-1357-1 2007-08-19
Mandriva MDKSA-2007:162 2007-08-14
Mandriva MDKSA-2007:165 2007-08-15
Foresight FLEA-2007-0046-1 2007-08-14
Fedora FEDORA-2007-1614 2007-08-15
Mandriva MDKSA-2007:164 2007-08-14
Mandriva MDKSA-2007:163 2007-08-14
Foresight FLEA-2007-0045-1 2007-08-14
Foresight FLEA-2007-0044-1 2007-08-14
Mandriva MDKSA-2007:158 2007-08-13
Mandriva MDKSA-2007:160 2007-08-13
Mandriva MDKSA-2007:161 2007-08-13
Mandriva MDKSA-2007:159 2007-08-13
Fedora FEDORA-2007-1594 2007-08-13
Debian DSA-1355-1 2007-08-13
Slackware SSA:2007-222-05 2007-08-13
Slackware SSA:2007-222-02 2007-08-13
Fedora FEDORA-2007-1547 2007-08-10
Fedora FEDORA-2007-1541 2007-08-10
Debian DSA-1354-1 2007-08-13
rPath rPSA-2007-0154-1 2007-08-10
SuSE SUSE-SR:2007:016 2007-08-10
Ubuntu USN-496-2 2007-08-07
Debian DSA-1352-1 2007-08-07
Debian DSA-1350-1 2007-08-06
Debian DSA-1349-1 2007-08-05
Debian DSA-1348-1 2007-08-04
Debian DSA-1347-1 2007-08-04
SuSE SUSE-SR:2007:015 2007-08-03
Ubuntu USN-496-1 2007-08-03
Red Hat RHSA-2007:0731-01 2007-08-01
Red Hat RHSA-2007:0735-01 2007-07-30
Red Hat RHSA-2007:0732-01 2007-07-30
Red Hat RHSA-2007:0729-01 2007-07-30
Red Hat RHSA-2007:0730-01 2007-07-30
Red Hat RHSA-2007:0720-01 2007-07-30

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: privilege escalation

Package(s):dovecot CVE #(s):CVE-2007-4211
Created:August 15, 2007 Updated:May 21, 2008
Description: From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions."
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Fedora FEDORA-2007-664 2007-08-20
rPath rPSA-2007-0161-1 2007-08-14

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

emacs21: denial of service

Package(s):emacs21 CVE #(s):CVE-2007-2833
Created:June 21, 2007 Updated:August 29, 2007
Description: The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images".
Alerts:
Ubuntu USN-504-1 2007-08-28
rPath rPSA-2007-0133-1 2007-06-25
Mandriva MDKSA-2007:133 2007-06-21
Debian DSA 1316-1 2007-06-21

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Gentoo 200711-04 2007-11-06
Gentoo 200707-03 2007-07-02
SuSE SUSE-SA:2007:042 2007-07-05
Debian DSA-1325-1 2007-06-29
Fedora FEDORA-2007-594 2007-06-27
Fedora FEDORA-2007-595 2007-06-27
Mandriva MDKSA-2007:136 2007-06-26
Red Hat RHSA-2007:0510-01 2007-06-25
Red Hat RHSA-2007:0509-01 2007-06-25
Debian DSA-1321-1 2007-06-23
Ubuntu USN-475-1 2007-06-21
Fedora FEDORA-2007-0464 2007-06-16

Comments (1 posted)

file: integer overflow

Package(s):file CVE #(s):CVE-2007-2799
Created:June 1, 2007 Updated:October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200710-19 2007-10-18
Debian DSA-1343-2 2007-09-25
Debian DSA-1343-1 2007-07-31
SuSE SUSE-SA:2007:040 2007-07-04
Fedora FEDORA-2007-0836 2007-07-03
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Ubuntu USN-439-2 2007-06-11
Mandriva MDKSA-2007:114 2007-06-05
Gentoo 200705-25 2007-05-31

Comments (3 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Mandriva MDVSA-2007:047 2007-02-19
Fedora FEDORA-2007-3414 2007-11-16
Fedora FEDORA-2007-3431 2007-11-16
Red Hat RHSA-2007:0981-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Debian DSA-1391-1 2007-10-19
Gentoo 200708-09 2007-08-14
rPath rPSA-2007-0157-1 2007-08-10
Slackware SSA:2007-215-01 2007-08-06
Debian DSA-1346-1 2007-08-04
Debian DSA-1345-1 2007-08-04
Debian DSA-1344-1 2007-08-03
Foresight FLEA-2007-0040-1 2007-08-03
Slackware SSA:2007-213-01 2007-08-02
Mandriva MDKSA-2007:152 2007-08-01
Foresight FLEA-2007-0039-1 2007-08-01
Ubuntu USN-493-1 2007-07-31

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla seamonkey thunderbird CVE #(s):CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created:June 4, 2007 Updated:August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-469-2 2007-08-29
SuSE SUSE-SA:2007:036 2007-06-27
Mandriva MDKSA-2007:131 2007-06-20
Gentoo 200706-06 2007-06-19
Foresight FLEA-2007-0027-1 2007-06-20
Fedora FEDORA-2007-0544 2007-06-18
Mandriva MDKSA-2007:126-1 2007-06-16
Mandriva MDKSA-2007:126 2007-06-15
Slackware SSA:2007-165-01 2007-06-15
Debian DSA-1308-1 2007-06-14
Mandriva MDKSA-2007:120 2007-06-12
Mandriva MDKSA-2007:119 2007-06-12
Debian DSA-1305-1 2007-06-13
Debian DSA-1306-1 2007-06-12
Debian DSA-1300-1 2007-06-07
Ubuntu USN-469-1 2007-06-05
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-468-1 2007-06-01

Comments (3 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat RHSA-2007:0724-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1138 2007-07-18

Comments (none posted)

flac123: arbitrary code execution

Package(s):flac123 CVE #(s):CVE-2007-3507
Created:July 13, 2007 Updated:October 22, 2007
Description: A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length.
Alerts:
Gentoo 200709-06 2007-09-14
Fedora FEDORA-2007-1045 2007-07-12

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13<